broomva/autonomous is a markdown skill — it contains no executable code. The skill loads as system-prompt augmentation into an LLM agent (Claude Code, Codex, Cursor, Cline, Gemini CLI, etc.) and shapes the agent's behavior during execution-mode work.
The skill itself cannot execute commands, exfiltrate data, or modify systems. It can only influence the agent that loads it. Agents executing under this skill operate with the full permissions of their host environment — so the trust boundary is at the agent host, not at the skill.
The realistic threat surfaces for a markdown skill like this one:
| Threat | Surface | Mitigation |
|---|---|---|
| Skill content tampering | Anyone with write access to the repo's main branch | Branch protection (signed commits encouraged); CI validate.yml regression-guards structural invariants |
| Supply-chain via npx skills add | Pulls from https://github.com/broomva/autonomous directly | Repo is open-source, content is auditable line-by-line in SKILL.md |
| Prompt-injection through the skill | A malicious SKILL.md could instruct the agent to take harmful actions | Use only broomva/* skills from this org; verify the skill content matches what's documented at the repo root before installing |
| Rationalization weakening | A loosening commit could let agents bypass discipline | All SKILL.md changes must verify under pressure scenarios (see CONTRIBUTING.md and tests/pressure-scenarios.md) |
The skill strengthens safety in agent sessions by binding the agent to bstack's primitive contract — including P2 (Control Gate) which is the actual destructive-op shield. The skill does not weaken any existing shield.
If you discover a security issue — for example, a rationalization that lets an agent bypass P2, exfiltrate secrets, or persist destructive state across sessions — please do not open a public issue.
Email instead: carlosdavidescobar@gmail.com with subject prefix [broomva/autonomous security].
Include:
- The user directive that triggered the unsafe behavior (verbatim)
- The skill section that should have prevented it (specific line)
- The actual rationalization the agent produced
- Reproduction steps — minimum viable scenario
Response timeline: best-effort within 7 days. Critical vulnerabilities (active exploit, credential leakage) are prioritized.
Once a vulnerability is fixed, the fix lands in main and a CHANGELOG entry credits the reporter (unless anonymity is requested).
- Issues in the agent host itself (Claude Code, Codex, etc.) — report to the host vendor
- Issues in bstack primitives (P1–P16) — report to broomva/bstack
- Issues in the universal role contract prompt — report to broomva/broomva.tech
- Issues in dependent skills (broomva/persist, broomva/p9, etc.) — report to those repos individually